LKML Archive on lore.kernel.org
help / color / mirror / Atom feed
From: Kyle Moffett <mrmacman_g4@mac.com>
To: David Wagner <daw-usenet@taverner.cs.berkeley.edu>
Cc: LKML Kernel <linux-kernel@vger.kernel.org>,
	Samium Gromoff <_deepfire@feelingofgreen.ru>
Subject: Re: [PATCH] Undo some of the pseudo-security madness
Date: Sun, 21 Jan 2007 19:36:27 -0500	[thread overview]
Message-ID: <1D317613-B0B6-4517-81B5-DBF3978FA413@mac.com> (raw)
In-Reply-To: <ep0tb0$f6e$1@taverner.cs.berkeley.edu>

On Jan 21, 2007, at 18:34:56, David Wagner wrote:
> [1] In comparison, suidperl was designed to be installed setuid- 
> root, and it takes special precautions to be safe in this usage.   
> (And even it has had some security vulnerabilities, despite its  
> best efforts, which illustrates how tricky this business can be.)   
> Setting the setuid-root bit on a large complex interpreter that  
> wasn't designed to be setuid-root seems like a pretty dubious  
> proposition to me.

Well, there's also the fact that Linux does *NOT* need suidperl, as  
it has proper secure support for suid pound-bang scripts anyways.   
The only reason for suidperl in the first place was broken operating  
systems which had a race condition between the operating system  
checking the suid bits and reading the '#! /usr/bin/perl' line in the  
file, and the interpreter getting executed and opening a different  
file (think symlink redirection attacks).  I believe Linux jumps  
through some special hoops to ensure that can't happen.

Cheers,
Kyle Moffett


  reply	other threads:[~2007-01-22  0:36 UTC|newest]

Thread overview: 38+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2007-01-21 23:23 Samium Gromoff
2007-01-21 23:34 ` David Wagner
2007-01-22  0:36   ` Kyle Moffett [this message]
2007-01-22  1:53     ` Samium Gromoff
2007-02-24  9:40       ` Florian Weimer
2007-02-24 13:33         ` Samium Gromoff
2007-02-24 13:49           ` Florian Weimer
2007-01-22 15:20 ` Valdis.Kletnieks
2007-01-22 17:39   ` Samium Gromoff
2007-01-23  8:48     ` Pavel Machek
2007-01-23 14:03       ` Samium Gromoff
2007-01-23 15:41         ` Alan
2007-01-23 20:21           ` [PATCH 0/2] Mechanism to turn of ASR on a per-ELF binary basis Samium Gromoff
2007-01-23 20:28           ` [PATCH 1/2] Define the EF_AS_NO_RANDOM e_flag bit Samium Gromoff
2007-01-23 20:50             ` Jakub Jelinek
2007-01-23 21:06               ` Samium Gromoff
2007-01-23 21:16                 ` Jakub Jelinek
2007-01-23 21:54                   ` Samium Gromoff
2007-01-23 23:21                   ` Samium Gromoff
2007-01-24 17:08                     ` Pavel Machek
2007-01-29  1:18             ` Arjan van de Ven
2007-01-23 20:31           ` [PATCH 2/2] Make the EF_AS_NO_RANDOM e_flag bit disable PF_RANDOMIZE Samium Gromoff
2007-02-24  9:51           ` [PATCH] Undo some of the pseudo-security madness Florian Weimer
2007-02-24 13:36             ` Samium Gromoff
2007-01-31  9:59         ` Arjan van de Ven
2007-02-01  8:05           ` Florian Weimer
  -- strict thread matches above, loose matches on Subject: below --
2007-01-22  0:54 Samium Gromoff
2007-01-20 14:37 Samium Gromoff
2007-01-20 16:12 ` Samium Gromoff
2007-01-20 21:58 ` David Wagner
2007-01-21  2:16 ` Arjan van de Ven
2007-01-21 21:38   ` Samium Gromoff
2007-01-21 22:09   ` Samium Gromoff
2007-01-21 22:16     ` David Wagner
2007-01-22  0:35     ` Arjan van de Ven
2007-01-22  1:15       ` Samium Gromoff
2007-01-22 17:52       ` Samium Gromoff
2007-01-23  8:44         ` Pavel Machek

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1D317613-B0B6-4517-81B5-DBF3978FA413@mac.com \
    --to=mrmacman_g4@mac.com \
    --cc=_deepfire@feelingofgreen.ru \
    --cc=daw-usenet@taverner.cs.berkeley.edu \
    --cc=linux-kernel@vger.kernel.org \
    --subject='Re: [PATCH] Undo some of the pseudo-security madness' \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).